
Statement for the Record 


The Honorable Christopher Krehs 
Director 

Cybersecurity and Infrastructure Security Agency 
U.S. Department of Homeland Security 

FOR A HEARING ON 

China ’s Non-Traditional Espionage Against the United States: 
The Threat and Potential Policy Responses 

BEFORE THE 
UNITED STATES SENATE 
COMMITTEE ON THE JUDICIARY 


Wednesday, December 12,2018 


Washington, D.C. 


Chairman Grassley, Ranking Member Feinstein, and members of the Committee, thank 
you for the opportunity to testify regarding current economic and cyber threats from China. The 
Department of Homeland Security (DHS) serves a critical role in safeguarding and securing 
cyberspace, a core homeland security mission. The Cybersecurity and Infrastructure Security 
Agency (CISA) at DHS leads the Nation’s efforts to ensure the security and resilience of our 
cyber and physical infrastructure. Thanks to Congress’s leadership and passage of the 
Cybersecurity and Infrastructure Security Agency Act of 2018 (P.L. 115-278), we are now even 
better poised to further the maturation of the organization to best reflect our essential mission 
and role in securing cyberspace. 

DHS is responsible for assisting civilian Federal Government agencies to protect their 
networks and collaborating with Federal agencies; state, local, tribal, and territorial (SLTT) 
governments; and the private sector to defend against cyber threats to our Nation’s critical 
infrastructure. Our work enhances cyber threat information-sharing between and among 
governments and businesses across the globe to stop cyber incidents before they occur and 
quickly recover when they do. By bringing together all levels of government, the private sector, 
international partners, and the public, we are enabling collective defense to protect against 
cybersecurity risks, improve our whole-of-government incident response capabilities, enhance 
information sharing of best practices and cyber threats, and strengthen resilience. 

Cyber Threats from China 

Cyber threats remain one of the most significant strategic risks for the United States, 
threatening our national security, economic prosperity, and public health and safety. The past 
several years have marked a turning point in the cyber domain, at least in the public 
consciousness. We have seen advanced persistent threat actors, including hackers, cyber 
criminals, and nation-states increase the frequency and sophistication of these attacks. Our 
adversaries have been developing and using advanced cyber capabilities in attempts to 
undermine critical infrastructure, target our livelihoods and innovation, steal our national 
security secrets, and threaten our democracy. 

The distinction between criminal and nation-state activity is likely to become increasingly 
blurred as some countries view cyber criminal tools as a relatively inexpensive and deniable 
means to support their goals. Transnational organized cyber criminals pose substantial risks to 
financial and payment systems and develop capabilities that are often coopted by various state 
actors. Nation-state threat actors such as China, Russia, Iran, and North Korea have used cyber 
intrusions to steal private sector proprietary information and sabotage military and critical 
infrastructure. 

China will continue to use cyber espionage and bolster cyber attack capabilities to 
support its national security priorities. The intelligence community and private-sector security 
experts continue to identify ongoing cyber activity from China, although at volumes significantly 
lower than before the bilateral U.S.-China cyber commitments of September 2015. Most 
detected Chinese cyber operations against U.S. private industry are focused on cleared defense 
contractors or information technology and communications firms whose products and services 
support government and private sector networks worldwide. Since 2015, China has been 
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advancing its cyber attack capabilities by integrating its military cyber attack and espionage 
resources in the Strategic Support Force, which it established in 2015. 

China continues to target U.S. Government and private sector entities. These activities 
are evidenced by the recent indictment of a Chinese operative on charges of economic espionage 
and attempts to steal trade secrets from U.S. aviation and aerospace companies. There have also 
been indictments against a state-owned enterprise in China, a Taiwanese company, and three 
individuals on crimes relating to a conspiracy to steal, convey, and possess stolen trade secrets of 
an American semiconductor company. China has been responsible for the theft of intellectual 
property, including trade secrets and other confidential business information, with the intent of 
providing competitive advantages to companies or commercial sectors. This is of special 
concern to us from a supply chain risk management perspective for information and 
communications technology (ICT). 


Cybersecurity Priorities 

DHS, our government partners, and the private sector are engaging in a more strategic and 
unified approach as we work to improve our Nation’s overall defensive posture against malicious 
cyber activity. In May of this year, DHS published a Department-wide Cybersecurity Strategy, 
which outlines a strategic framework to execute our cybersecurity responsibilities during the next 
five years. Both the Strategy and Presidential Policy Directive 21- Critical Infrastructure 
Security and Resilience, emphasize that we must all maintain an integrated approach to 
managing risk. 

The National Cyber Strategy, released in September, reiterates the criticality of 
collaboration and strengthens government’s commitment to work in partnership with industry to 
combat cyber threats and secure our critical infrastructure. Together, the National Cyber 
Strategy and DHS Cybersecurity Strategy guide DHS’s efforts to secure federal networks and 
strengthen critical infrastructure. For example, the Department uses its authorities to ensure 
agencies are updating and patching systems, strengthening their email security, and removing 
problematic technology from their systems. DHS also works across government and industry 
critical infrastructure partnerships to share timely and actionable information as well as provide 
training and technical assistance. 

DHS’s CIS A, which includes the National Cybersecurity and Communications Integration 
Center (NCCIC), provides entities with information, technical assistance, and guidance they can 
use to secure their networks, systems, assets, information, and data, by reducing vulnerabilities, 
ensuring resilience to cyber incidents, and supporting their holistic risk management priorities. 
The NCCIC operates at the intersection of the private sector, state and local governments, federal 
departments and agencies, international partners, law enforcement, intelligence, and defense 
communities. The Cybersecurity Information Sharing Act of 2015 (P.L. 114-113) established 
DHS as the Federal Government’s central hub for the automated sharing of cyber threat 
indicators and defensive measures. The automated indicator sharing (AIS) capability allows the 
Federal Government and the private sector network defenders to share technical information at 
machine speed. 
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National Risk Management 


Our adversaries’ eapabilities online are outpacing our stove-piped defenses. Specifically, 
there has been a critical gap in cross-sector, cross-government coordination on critical 
infrastructure security and resilience. Working together with the private sector and other 
government partners, we are taking collective action to strengthen cross-sector, cross- 
government coordination against malicious cyber actors. 

With the renaming and refocusing of the Office of Cyber and Infrastructure Analysis as 
the National Risk Management Center (NRMC), housed within CISA, we have stepped up our 
efforts to provide a comprehensive risk management approach to cyber and physical security. 

The NRMC is a core component of DHS’s efforts to take a holistic cross-sector approach to 
managing risks to the critical functions that drive our economy and are necessary to our national 
security. Through the NRMC, government and industry are coming together to create a more 
complete understanding of the complex perils that threaten the nation’s critical infrastructure. 

Supply Chain Risks 

Earlier this year, we established the Cyber Supply Chain Risk Management (C-SCRM) 
program. The C-SCRM program is addressing risks to information and communications 
technology (ICT) supply chains by developing and deploying supply chain risk management 
capabilities for federal agencies, private sector critical infrastructure owners and operators, and 
state, local, tribal, and territorial governments. To ensure our supply chain efforts are inclusive 
of industry, the NRMC recently established an ICT Supply Chain Risk Management Task Force. 
The Task Force is the main private sector point of entry our SCRM efforts and is jointly chaired 
by DHS and the chairs of the Information Technology (IT) and Communications Sector 
Coordinating Councils. 

ICT is critical to every business and government agency’s ability to carry out its mission 
efficiently and effectively. Vulnerabilities in ICT can be exploited intentionally or 
unintentionally through a variety of means, including deliberate mislabeling and counterfeits, 
unauthorized production, tampering, theft, and insertion of malicious software or hardware. If 
these risks are not detected and mitigated, the impact to the ICT could be a fundamental 
degradation of its confidentiality, integrity, or availability and potentially adverse impacts to 
essential government or critical infrastructure systems. 

Increasingly sophisticated adversaries seek to steal, compromise, alter, or destroy 
sensitive information on systems and networks, and risks associated with ICT may be used to 
facilitate these activities. The Office of the Director of National Intelligence (ODNI) 
acknowledges that “The U.S. is under systemic assault by foreign intelligence entities who target 
the equipment, systems, and information used every day by government, business, and individual 
citizens.”' The globalization of our supply chain can result in component parts, services, and 
manufacturing from sources distributed around the world. ODNI further states, “Our most 
capable adversaries can access this supply chain at multiple points, establishing advanced, 
persistent, and multifaceted subversion. Our adversaries are also able to use this complexity to 


' https://www.dni.gOv/files/NCSC/documents/products/20170317-NCSC—SCRM-Background.pdf 
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obfuscate their efforts to penetrate sensitive research and development programs, steal 
intellectual property and personally identifiable information, insert malware into critical 
components, and mask foreign ownership, control, and/or influence of key providers of 
components and services.” 

Risks to the ICT supply chain are no longer an emerging threat, they are a pervasive 
threat. However, the rules under which procurements are conducted have not kept pace with the 
evolution of this threat. The Federal Acquisition Regulation is designed to balance the equities 
of the government and the contracting parties, ensuring due process for contractors and 
disclosure of the government’s reasons for pursuing contractual remedies in the event of 
performance or integrity failure. These rules, however, were designed around the procurement 
of commodities and services that were not anticipated to be vulnerable to, nor the target of, the 
sophisticated foreign intelligence activities witnessed in recent years, especially those associated 
with a globalized ICT supply chain. For instance, the current procurement rules and their 
underpinning statutes did not imagine the need to use and protect intelligence information in 
unclassified procurements. 

New rules are needed to combat the threat to our Nation’s federal information technology 
networks when intelligence and vulnerability information identifies risks that cannot be 
mitigated. As such, in the remaining days of this Congress we urge swift passage of S. 3085, the 
Federal Acquisition Supply Chain Security Act of 2018. If enacted, this legislation would 
establish a strategic statutory framework to protect our Federal supply chain by conducting 
supply chain risk assessments, creating mechanisms for sharing supply chain information, and 
establishing exclusion authorities—^both within agencies and in a centralized manner—to be 
utilized when justified. 

Additionally, DHS and our interagency partners are working diligently to implement 
Section 889 of the National Defense Authorization Act for Fiscal Year 2019. This law prohibits 
executive agencies from procuring certain telecommunications equipment and other technology 
from specific companies based in the People’s Republic of China. We will continue to do what 
is necessary to meet this law, and leverage our other authorities to assist federal agencies with 
securing their information systems, including from supply chain risks. 

Conclusion 

In the face of increasingly sophisticated threats, DHS employees stand on the front lines 
of the Federal Government’s efforts to defend our nation’s critical infrastructure from natural 
disasters, terrorism and adversarial threats, and technological risk such as those caused by cyber 
threats. Our infrastructure environment today is complex and dynamic with interdependencies 
that add to the challenge of securing and making it more resilient. Technological advances have 
introduced the “Internet of Things” and cloud computing, and the pending development and 
deployment of 5G telecommunications technology offer increased access and streamlined 
efficiencies, while increasing the footprint of access points that could be leveraged by 
adversaries to gain unauthorized access to networks. As new risks emerge, we must better 
integrate cyber and physical risk in order to effectively secure the Nation. Expertise around 
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cyber-physical risk and cross-sector critical infrastructure interdependencies is where the 
Cybersecurity and Infrastructure Security Agency brings unique expertise and capabilities. 

As the Committee considers these issues, we are committed to working with Congress to 
ensure that this effort is done in a way that cultivates a safer, more secure and resilient 
Homeland. 

Thank you for the opportunity to appear before the Committee today, and I look forward 
to your questions. 
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